Sunday, April 15, 2012

Case o' The Week: Nosal, No Sale, for Gov't -- - Nosal and the CFAA

Chief Judge Alex Kozinski

"Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by gchatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement."

Players: Important win for appellate gurus Ted Sampsell Jones (argued), and Dennis Riordan. Decision by CJ Kozinski, joined by eight judges. Dissent by Judge Silverman, joined by Judge Tallman.

Facts: Nosal worked for an executive search firm. Id. at *1. He started a competing company, and convinced some of his former colleagues to download confidential files from his old firm, to use in his new one. Id. “The employees were authorized to access the database, but [the executive search firm] had a policy that forbade disclosing confidential information.” Id.

Nosal was indicted on many counts, including violations of the Computer Fraud and Abuse Act (CFAA), 18 USC § 1030. Id. Nosal challenged the CFAA counts, arguing that this wasn’t unauthorized access into a computer (hacking), but (if proved true), was theft of data by folks who had legitimate access to the files.

ND Cal District Judge Marilyn Patel agreed and dismissed the CFAA counts, holding that the CFAA prohibits hackers from accessing computer information without authorization – not theft by employees who are authorized to access the data. Id. A three-judge panel reversed. See generally blog description of three-judge panel decision, here.

The case went en banc.Issue(s): “Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Some-times we use them for play at work. Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime? How about someone who violates the terms of service of a social networking website? This depends on how broadly we read the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.” Id. at *1 (emphasis added).

Held: “We need not decide today whether Congress could base criminal liability on violations of a company or website’s computer use restrictions. Instead, we hold that the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly.” Id. at *7.

Of Note: Gallons of ink will be spilled on Nosal and its impact on computer crimes – it is a very important case. Putting all that aside, read Nosal simply for the enjoyment of joyful legal writing. CJ Kozinski – a computer geek in judge’s clothing – gets it: the government’s interpretation of the CFAA would have criminalized logging on a work computer and “g-chatting with friends, playing games, shopping or watching sport hightlights.” Id. at *4.

Are you of a libertarian bend, prone to tuning into “Reason.TV” while at work? Id. Do you hit Ebay, while filling out timesheets and CJA vouchers? Id. at *5 &n.8. Visit Hulu and JDate? Id. Netflix and Pandora? Id. Do you describe yourself on Craigslist’s dating site as “talk dark and handsome,” when you’re really “short and homely?”Id. at *5. The Chief has no problem with you getting fired – but he and the Ninth don’t want you prosecuted for a federal crime.

How to Use: Fellow blogger Steve “Rule of Lenity” Sady loves Nosal - and you should too. CJ Kozinski explains that the rule is not only intended only to protect citizens, who need fair notice of criminal laws. Id. The Rule of Lenity also ensures “that Congress will have fair notice of what conduct its law criminalizes. We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals.” Id. at *7. Great quotes for the defense bar’s favorite rule of construction.

For Further Reading: Are you making too much of a “simple little case,” bringing cutting-edge challenges on “silly issues” that make prosecutions slow and expensive? You must have been hanging out with Carl Gunn. For three decades Carl has been the government’s gadfly while serving in three Defender offices – you’ll remember him as the rebel who “gunned” for the Marshal’s shackling policy in L.A.. See Howard blog here.

Carlton Gunn

Carl’s now semi-retired, and is maintaining a very interesting blog in his new private practice life. See "Hanging out with Carl" blog here. Hit Carl’s blog for a great essay on challenging “controlled substance” priors in federal court – it is a valuable new site to add to your RSS feed.

Image of the Honorable Chief Judge Alex Kozinski from http://3.bp.blogspot.com/_9AeuD2eCaOg/TFRLkko-2UI/AAAAAAAAAbY/0W8msHSL2lk/s1600/judge+alex+kozinski.jpg

1 Comments:

You libertarians might stop to think a minute. Because of this decision, prosectutions of Federal employees who access databases outside their authority are now being declined by the various USAOs in the Nineth Circus. This pretty much gives Federal government employees, and probably other levels of government employees, free reign to snoop in rather extensive government databases.